Recent Trend in Croatian Data Protection: Unveiling a Surge of Enforcement Actions

Issue 10.12
The fifth anniversary of the General Data Protection Regulation (GDPR) in Croatia has ushered in an unforeseen and substantial transformation in the sphere of data protection. This notable shift is characterized by a surge in enforcement actions led by the Croatian data privacy watchdog, commonly known as the Personal Data Protection Agency (DPA – in Croatian AZOP). In stark contrast to the relatively quiet initial three years following the enactment of the GDPR (2018-2021) in Croatia, 2023 has become a turning point, witnessing a seismic shift in Croatian data protection enforcement.

A standout case in this wave of enforcement actions involves a local debt collection company that incurred a staggering fine of EUR 5.4 million, setting a new record for the highest penalty in the enforcement history of the Croatian DPA. This substantial penalty was imposed due to the company’s failure to implement necessary technical and organizational measures, engaging in the processing of sensitive personal data without having a legal basis, and neglecting to adequately inform data subjects about processing activities. Furthermore, the company was found to have been actively tracking the health status of individual debtors and recording phone calls with them for a period of seven months without any legal basis for such recordings, and in contradiction with its stated privacy policies. In a public announcement regarding its decision, the Croatian DPA additionally offered clarification on the appropriateness of including the phrase “This call may be recorded” in a privacy notice provided during a telephone call with a data subject. Specifically, the Croatian DPA held that such wording did not comply with transparency obligations set out in the GDPR.

In a separate case involving a different debt collection company, the Croatian DPA levied a significant fine of EUR 2.26 million. The penalties in this instance were a result of the DPA’s findings that the company failed to provide essential information about its data processing practices, make an appropriate data processing agreement with a relevant processor, and implement adequate security measures, leading to a loss of control over data flows. In its press release about the infringement decision, the DPA underscored aggravating factors in this case, including the company’s lack of cooperation and its failure to take remedial actions.

The DPA’s vigilance extended beyond debt collection activities to e-privacy concerns, with a specific focus on the use of cookies on websites. Notably, two fines were imposed on companies operating in the gambling and betting sector, totaling EUR 20,000 and EUR 30,000, respectively. The DPA identified shortcomings in these controllers’ processing activities, citing a lack of a proper legal basis for storing cookies and processing personal data, as well as the controllers’ failure to enable users to freely give and withdraw consent. Criticism was also directed at the controllers’ cookie banners, which were accused of bundling consent for all types of cookies, rather than allowing users to specify their preferences.

In conclusion, the intensified enforcement efforts led by the Croatian DPA mark a turning point for businesses immersed in data-intensive industries. As the regulatory landscape undergoes an evolution, the imperative for organizations to prioritize robust data protection measures grows more critical. Navigating the intricate terrain of compliance and staying clear of non-compliance pitfalls become paramount considerations in this dynamic environment. The recent decisions and clarifications emanating from the Croatian DPA not only serve as a guidepost for businesses but also provide valuable insights. For organizations striving to align their data collection practices with the exacting requirements of the GDPR, these developments underscore the importance of keeping up with the evolving regulatory landscapes. Businesses are encouraged to proactively adapt their data protection strategies, ensuring not only compliance but also safeguarding the privacy rights of individuals in an ever-changing digital landscape.

By Marija Gregoric, Partner, and Lovro Klepac, Senior Associate, Babic & Partners

This article was originally published in Issue 10.12 of the CEE Legal Matters Magazine.